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9 FIELD OF THE INVENTION 

10 This invention relates generally to the field of digital certificates and 

11 certificate revocation lists (CRL). More particularly, this invention relates to a 

12 method and apparatus for providing an extension to a standard CRL that informs 
^3 the recipient if changes have or have not been made since the last CRL. 

I 4 

]|5 BACKGROUND OF THE INVENTION 

IMS Digital certificates are in wide use on the Internet and in the field of 

*i7 electronic commerce for authentication of all sorts of electronic transactions. In 

Ji8 general, such digital certificates are used to certify the identity of an entity in the 

qj 9 digital world, particularly as defined by the public key infrastructure (PKI). As digital 

liO certificates are issued and used, they often are either revoked or expire after a 

hll predetermined amount of time. In other situations, a digital certificate may be 

22 revoked or placed on hold pending some event. In order for digital certificates to 

23 be useful, it is important that those entities using digital certificates to authenticate 

24 the identity of an entity presenting the digital certificate have confidence that the 

25 digital certificate is valid. Generally, the validity of a digital certificate can be 

26 determined by reference to a Certificate Revocation List (CRL) produced by an 

27 authority that generates the certificates (usually a Certificate Authority). 

28 FIGURE 1 depicts a simple exemplary computer network 100 that utilizes 

29 a digital certificate and a Certificate Revocation List. In system 1 00, a user terminal 
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1 1 04 may request via a network (for example the Internet) 1 08, a digital certificate 

2 from a Certificate Authority 112. The Certificate Authority 1 1 2 generates and issues 

3 the certificate, which is returned to the user terminal 104. The user terminal 104 

4 can then utilize the digital certificate to carry out the transaction with another entity 

5 such as remote server 116. Such transactions may include financial transactions 

6 or any other transaction in which the identity of the user terminal 104 should be 

7 reliably authenticated. 

8 When user terminal 104 sends the digital certificate to remote server 116, 

9 the remote server 116 can inspect the digital certificate against a list of revoked 

1 0 certificates (the Certificate Revocation List) stored by the remote server 116. In the 

1 1 event remote server 1 1 6 has not obtained a recent CRL, one can be requested from 

1 2 the Certificate Authority 1 1 2. Certificate Authority 1 1 2 then either generates a new 
Jfe CRL or sends the most recently generated CRL to the remote server 1 1 6. Remote 
3f4 server 116 can then determine whether nor not the digital certificate sent by user 
fib terminal 1 04 is valid. Thus, remote server 1 1 6 can authenticate the user terminal 

a 5 5 

I$6 1 04 and determine whether or not to authorize particular transaction at hand. 

iV FIGURE 2 depicts a message flow diagram 200 for the transaction just 

t|8 described. In this message flow diagram, a certificate request 204 is sent from the 

fj9 user terminal 104 to the Certificate Authority 112. The Certificate Authority 112 

}lo generates a certificate at 208 and returns the certificate at 21 2 to the user terminal 

■MM 1 04. The user terminal 1 04 can then submit a transaction using the certificate at 

22 21 8 to the remote server 1 1 6. Remote server 1 1 6 can then request a new CRL at 

23 222 of the Certificate Authority. The Certificate Authority 1 12 then generates or 

24 retrieves a CRL at 226 and sends the CRL to the remote server 116 at 230. 

25 Depending on the nature of the transaction, the remote server 1 1 6 may process the 

26 CRL at 232 by taking various actions including, for example, sorting, filtering or 

27 reformatting the CRL and storing information in its own database. At 234, the 

28 certificate can be authenticated against the CRL data at the remote server 116. At 

29 238 the transaction can be either approved or rejected in accordance with the 

30 authentication at 234 and at 242 the approval or rejection can be confirmed with the 
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1 user terminal 1 04. Those skilled in the art will recognize that many other message 

2 flows are possible with the message flow 200 if FIGURE 2 being intended as 

3 exemplary of a simple use of a digital certificate and a Certificate Revocation List. 

4 With reference to FIGURE 3 the Certificate Authority 1 1 2 may generate the 

5 Certificate Revocation List in accordance with process 300. CRLs are generated 

6 at the Certificate Authority either on a periodic basis, or as a result of some event 

7 such as a certificate is revoked, or some combination thereof. The process starts 

8 at 302 after which a database of certificates is queried for certificates meeting a 

9 particular criteria of inactivity. One example is for the query to request all 
1 0 certificates that have been revoked. Other certificates are assumed to still be valid 
i 1 and active. 

12 At 304 the certificate database at the Certificate Authority responds to the 

5fe query with certificates meeting the specified criteria. Header information is then 

M generated, for example, in accordance with X.509 and RFC 2459 standards (or 

116 other applicable CRL standards) at 31 2 and at 31 6 the certificate is formatted (for 

LIB example, as an ASN.1 or other format CRL). The digital certificate is signed at 320 

If7 to assure its authenticity and is then stored at 322 within a computer residing at the 

;% Certificate Authority. The process returns at 326. Whenever a request is made for 

09 a new digital certificate, process 300 is carried out or, in some instances, the most 

Sb recently generated CRL may be retrieved and forwarded to the requester. 

?21 When a CRL as generated in accordance with process 300 is sent to the 

22 remote server as in 232 of process 200, the remote server may carry out any 

23 number of processes on the CRL at 232. Such processes may include merging the 

24 CRL into existing databases, reformatting the CRL or taking other potentially 

25 computationally intensive actions. When a process such as process 300 is carried 

26 out at specified time intervals, it is possible that there has been no change in the 

27 CRL since the last CRL was sent to remote server 116. In this case, such 

28 processes at 232 are redundant and wasteful. It is therefore desirable to minimize 
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1 or eliminate such processing to allow the network to carry out its functions in a 

2 responsive manner. 

3 As digital certificates find wider use, the number of such certificates issued 

4 has increased dramatically. With this increase comes an associated increase in 

5 the number of entries in a Certificate Revocation List. Accordingly, the processing 

6 at 232 as just described can become an extremely time consuming process, 

7 depending on the nature of the processing required. This is obviously undesirable 

8 since the process of authentication using the CRL should preferably be carried out 

9 in an expedient manner. 
10 

1 1 SUMMARY OF THE INVENTION 

12 The present invention relates generally to digital certificates and certificate 
^3 revocation lists. Objects, advantages and features of the invention will become 
!§4 apparent to those skilled in the art upon consideration of the following detailed 
ff5 description of the invention. 

jjfe In one embodiment consistent with the present invention, a method and 

17 apparatus for generating a CRL with a last_changed extension. When sequential 

138 CRLs are generated there is the potential that there will be no changes in the data 

pi 9 associated with the CRL. In this case a recipient of the new CRL may needlessly 

J|0 perform processing on the new CRL. A CRL consistent with embodiments of the 

+21 present invention provides an extension to specify the CRL number of the 

22 last_changed CRL. This provides the recipient with information to determine 

23 whether the new CRL should be processed or the existing data is up to date, 

24 advantageously saving processing time if no new processing is required. 

25 A method of creating a digital certificate revocation list (CRL) in a manner 

26 consistent with an embodiment of the present invention includes creating a list of 

27 digital certificates satisfying at least one inactive criterion; identifying a latest CRL 

28 in which changes have been made to the list; and storing an identity of the latest 

29 CRL in which changes have been made as a part of the CRL. 

30 A method of using a digital certificate revocation list (CRL), in a manner 
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1 consistent with an embodiment of the present invention, includes storing a first 

2 CRL, the first CRL comprising at least a list of digital certificates satisfying at least 

3 one inactive criterion and a first CRL identifier ; carrying out a processing operation 

4 on the first CRL; receiving a second CRL, the second CRL comprising at least a list 

5 of digital certificates satisfying the at least one inactive criterion, a second CRL 

6 identifier and an identity of a latest CRL having differences with the list of 

7 certificates satisfying the at least one inactive criterion; and carrying out the 

8 processing operation on the second CRL only if the identity of the latest CRL having 

9 differences with the list of certificates satisfying the at least one inactive criterion 

10 is more recent than the first CRL. 

1 1 A data structure consistent with an embodiment of the present invention, 

12 stored on a computer readable storage medium or transported over an electronic 
/fe communication medium, for a digital certificate revocation list (CRL), includes a list 
jff4 of digital certificates satisfying at least one inactive criterion; a CRL identifier; and 
Fife an identity of a latest CRL having differences with the list of digital certificates 
ife satisfying the inactive criterion. 

"f7 The above summaries are intended to illustrate exemplary embodiments of 

£18 the invention, which will be best understood in conjunction with the detailed 

■Mq description to follow, and are not intended to limit the scope of the appended 

j|o claims. 
Si 

22 BRIEF DESCRIPTION OF THE DRAWINGS 

23 The features of the invention believed to be novel are set forth with 

24 particularity in the appended claims. The invention itself however, both as to 

25 organization and method of operation, together with objects and advantages 

26 thereof, may be best understood by reference to the following detailed description 

27 of the invention, which describes certain exemplary embodiments of the invention, 

28 taken in conjunction with the accompanying drawings in which: 

29 FIGURE 1 illustrates a simple exemplary system using digital certificates. 
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1 FIGURE 2 is a signal flow diagram describing one use of a digital certificate 

2 and certificate revocation list in the system of FIGURE 1 . 

3 FIGURE 3 is a flow chart describing generation of a CRL. 

4 FIGURE 4 is a flow chart describing one method consistent with an 

5 embodiment of the present invention for generation of a CRL having a 

6 Last_Changed field as an extension. 

7 FIGURE 5 is a flow chart depicting processing of a CRL at the server 1 16 in 

8 accordance with an embodiment consistent with the present invention. 

9 FIGURE 6 illustrates a computer system suitable for use in conjunction with 
1 0 embodiments of the present invention. 

11 

=42 DETAILED DESCRIPTION OF THE INVENTION 

% %3 In the following detailed description of the present invention, numerous 

t|4 specific details are set forth in order to provide a thorough understanding of the 

r|5 present invention. However, it will be recognized by one skilled in the art that the 

if6 present invention may be practiced without these specific details or with 

M7 equivalents thereof. In other instances, well known methods, procedures, 

%if 8 components, and circuits have not been described in detail as not to unnecessarily 

; obscure aspects of the present invention. 



G20 

21 NOTATION AND NOMENCLATURE 



22 Some portions of the detailed descriptions which follow are presented in 

23 terms of procedures, steps, logic blocks, processing, and other symbolic 

24 representations of operations on data bits that can be performed on computer 

25 memory. These descriptions and representations are the means used by those 

26 skilled in the data processing arts to most effectively convey the substance of their 

27 work to others skilled in the art. A procedure, computer executed step, logic block, 

28 process, etc., is here, and generally, conceived to be a self-consistent sequence 

29 of steps or instructions leading to a desired result. The steps are those requiring 



Docket No.: SUN-6054 



PATENT 



1 physical manipulations of physical quantities. 

2 Usually, though not necessarily, these quantities take the form of electrical 

3 or magnetic signals capable of being stored, transferred, combined, compared, and 

4 otherwise manipulated in a computer system. It has proven convenient at times, 

5 principally for reasons of common usage, to refer to these signals as bits, values, 

6 elements, symbols, characters, terms, numbers, or the like. 

7 It should be borne in mind, however, that all of these and similar terms are 

8 to be associated with the appropriate physical quantities and are merely convenient 

9 labels applied to these quantities. Unless specifically stated otherwise as apparent 

10 from the following discussions, it is appreciated that throughout the present 

11 invention, discussions utilizing terms such as "processing" or "sending" or 

12 "receiving" or "authenticating" or "generating" or "determining" or "displaying" or 
;|3 "recognizing" or the like, refer to the action and processes of a computer system, 
#4 or similar electronic computing device, that manipulates and transforms data 
f§5 represented as physical (electronic) quantities within the computer system's 
[16 registers and memories into other data similarly represented as physical quantities 
^7 within the computer system memories or registers or other such information 
QQ storage, transmission or display devices. 

I 9 

% CRL LAST CHANGED EXTENSION OR ATTRIBUTE IN ACCORDANCE WITH 

Si THE INVENTION 

22 While this invention is susceptible of embodiment in many different forms, 

23 there is shown in the drawings and will herein be described in detail specific 

24 embodiments, with the understanding that the present disclosure is to be 

25 considered as an example of the principles of the invention and not intended to limit 

26 the invention to the specific embodiments shown and described. In the description 

27 below, like reference numerals are used to describe the same, similar or 

28 corresponding parts in the several views of the drawings. 



29 
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1 It is desirable to minimize or eliminate the processing of a CRL that has not 

2 changed since the most recently received CRL. Currently, there is no main 

3 mechanism for accomplishing this. The present invention utilizes an extension to 

4 the standard CRL format to introduce a field referred to herein as "last_changed". 

5 This field indicates provides an identifier of the CRL (i.e., the CRL number) of the 

6 last CRL that has been changed since the current CRL. 

7 In order to implement this change in one embodiment, process 400 in 

8 FIGURE 4 is utilized starting at 402. At 404 an integer N and the variable 

9 last_changed are both initialized at a value of 1 . At 408, CRL #1 is generated, 

1 0 signed and saved using a technique such as data process 300 of FIGURE 3 or any 

11 other suitable process. A timer is then initialized at 412 and the value of the 

12 counter N is incremented by 1 at 416. The timer initialized at 412 is utilized to 
1|3 establish the periodic time intervals between generation of new Certificate 
$4 Revocation Lists. The timer is inspected at 420 to determine if it has expired and 
|j5 the process awaits expiration of the timer at 420. 

Ife When the timer has expired at 420, CRL #N is generated at 424. At 430, the 

S 7 data entries listing the revoked certificate numbers in CRL #N are prepared to those 

P|8 entries in CRL #N-1 to determine if any change has taken place. If any change has 

ii9 taken place, those entries will be unequal and control passes to 434. At 434 the 

So value of last_changed is updated to N and CRL #N. CRL #N is then signed at 438 

H>1 with a digital signature and saved at 442. The timer is then reset at 446 and control 

22 returns to 416 where the value of N is incremented and the process repeats. 

23 In the event CRL #N's data is equal to the data at CRL #N-1 at 430, 434 is 

24 skipped and the process proceeds to 438 where the CRL #N is signed, saved at 

25 442 and the timer is reset at 446. In this manner, the value of last_changed is 

26 incremented whenever there is a change in two adjacently generated certificate 

27 revocation lists. Thus, when terminal 1 16 receives a new CRL, it can determine 

28 whether or not processing should be carried out in the new CRL by simply reading 
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1 the value of last_changed. This is depicted in connection with FIGURE 5 as 

2 process 500. 

3 Process 500 of FIGURE 5 starts at 502 after which a request is sent to the 

4 Certificate Authority at 222. At 230, CRL is received from this Certificate Authority. 

5 In one embodiment, once the portion of the CRL containing the last_changed is 

6 received, the remaining portion of the CRL can be ignored or rejected. In other 

7 embodiments the entire CRL is received at 230. At 51 2, the value of last_changed 

8 is compared to the CRL number of the most recently saved CRL at the server 1 16. 

9 If last_changed is greater than the CRL number of the most recently saved CRL at 

10 512, then the new CRL is saved at 516 (or, if necessary, the remainder is first 

1 1 received) and a new CRL is processed at 232 and the certificate is authenticated 

12 at 234 before returning at 530. In the event the value of last_changed is not greater 
d§3 than the CRL number of the most recently saved CRL at 512, 516 and 232 can be 
pA skipped and the process proceeds directly to authentication using the previously 
[jf 5 received CRL (whose data has not been changed). In this manner, the process in 
^6 232 of the new CRL can be avoided if there is no change in the data between the 
;i 7 most recently received CRL and the current CRL at server 1 1 6. 

pi 8 Referring now to FIGURE 6, the process of FIGURE 4 can be carried out at 

Q( 9 the certificate authority using a computer system such as that illustrated in FIGURE 

§0 6 as 600. Similarly, the process of FIGURE 5 can be carried out in a computer 

f 1t\ system such as 600 in server 116. Computer system 600 includes a central 

22 processor unit (CPU) 61 0 with an associated bus 61 5 used to connect the central 

23 processor unit 61 0 to Random Access Memory 620 and Non-Volatile Memory 630 

24 in a known manner. An output mechanism at 640 may be provided in order to 

25 display or print output for the computer administrator. Similarly, input devices such 

26 as keyboard and mouse 650 may be provided for the input of information from the 

27 computer administrator. Computer 600 also may include disc storage 660 for 

28 storing large amounts of information such as the list of certificates issued and the 

29 most recent Certificate Revocation List as well as any other information as 
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1 required. Computer system 600 is coupled to the network (e.g., the Internet) using 

2 a network connection 670 such as an Ethernet adapter coupling computer system 

3 600 through a fire wall and/or locally a network to the Internet. 

4 Those skilled in the art will recognize that the present invention has been 

5 described in terms of exemplary embodiments based upon use of a programmed 

6 processor. However, the invention should not be so limited, since the present 

7 invention could be implemented using hardware component equivalents such as 

8 special purpose hardware and/or dedicated processors which are equivalents to 

9 the invention as described and claimed. Similarly, general purpose computers, 

10 microprocessor based computers, micro-controllers, optical computers, analog 

1 1 computers, dedicated processors and/or dedicated hard wired logic may be used 

12 to construct alternative equivalent embodiments of the present invention. 

■13 Those skilled in the art will appreciate that the program steps used to 

jj4 implement the embodiments described above can be implemented using disc 

r$Ip5 storage as well as other forms of storage including Read Only Memory (ROM) 

| Me devices, Random Access Memory (RAM) devices; optical storage elements, 
magnetic storage elements, magneto-optical storage elements, flash memory, core 

Q8 memory and/or other equivalent storage technologies without departing from the 

M9 present invention. Such alternative storage devices should be considered 

N§0 equivalents. 

3l The present invention is preferably implemented using a programmed 

22 processor executing programming instructions that are broadly described above in 

23 flow chart form, and that can be stored in any suitable electronic storage medium 

24 or that can be transmitted over any electronic communication medium. However, 

25 those skilled in the art will appreciate that the processes described above can be 

26 implemented in any number of variations and in many suitable programming 

27 languages without departing from the present invention. For example, the order of 

28 certain operations carried out can often be varied, and additional operations can be 

29 added without departing from the invention. Error trapping can be added and/or 

30 enhanced and variations can be made in user interface and information 
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1 presentation without departing from the present invention. Such variations are 

2 contemplated and considered equivalent. 

3 While the invention has been described in conjunction with specific 

4 embodiments, it is evident that many alternatives, modifications, permutations and 

5 variations will become apparent to those skilled in the art in light of the foregoing 

6 description. Accordingly, it is intended that the present invention embrace all such 

7 alternatives, modifications and variations as fall within the scope of the appended 

8 claims. 

9 What is claimed is: 
0 
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